{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,5]],"date-time":"2026-03-05T16:17:46Z","timestamp":1772727466494,"version":"3.50.1"},"reference-count":50,"publisher":"MDPI AG","issue":"2","license":[{"start":{"date-parts":[[2025,2,5]],"date-time":"2025-02-05T00:00:00Z","timestamp":1738713600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Symmetry"],"abstract":"<jats:p>Shilling and adversarial attacks are two main types of attacks against recommender systems (RSs). In modern RSs, existing defense methods are hindered by the following two challenges: (1) the diversity of RSs\u2019 information sources beyond the interaction matrix, such as user comments, textual data, and visual information; and (2) most defense methods are robust only against specific types of adversarial attacks. Ensuring the robustness of RSs against new adversarial attacks across different data sources remains an open problem. To address this problem, we propose a novel method that unifies adversarial attack detection, purification, and fake user detection in RSs by utilizing a guided diffusion adversarial purification network and a self-adaptive training technique. Our approach aims to simultaneously handle both known and unknown adversarial attacks on RSs\u2019 inputs and outputs. We conducted extensive experiments on three large-scale datasets to evaluate the effectiveness of the proposed method. The results confirm that our method can effectively eliminate adversarial perturbations on images and textual content within RSs, surpassing state-of-the-art methods by a significant margin. Moreover, it achieved the best results in three out of five evaluated shilling attack types. Finally, for attacks with realistic magnitudes, it can maintain baseline performance levels even when multiple attacks are applied simultaneously.<\/jats:p>","DOI":"10.3390\/sym17020233","type":"journal-article","created":{"date-parts":[[2025,2,6]],"date-time":"2025-02-06T04:47:31Z","timestamp":1738817251000},"page":"233","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":6,"title":["A Robust Recommender System Against Adversarial and Shilling Attacks Using Diffusion Networks and Self-Adaptive Learning"],"prefix":"10.3390","volume":"17","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-9646-9457","authenticated-orcid":false,"given":"Ali","family":"Alhwayzee","sequence":"first","affiliation":[{"name":"Computer Engineering Department, Engineering Faculty, Ferdowsi University of Mashhad (FUM), Mashhad 9177948974, Iran"}]},{"given":"Saeed","family":"Araban","sequence":"additional","affiliation":[{"name":"Computer Engineering Department, Engineering Faculty, Ferdowsi University of Mashhad (FUM), Mashhad 9177948974, Iran"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2487-7950","authenticated-orcid":false,"given":"Davood","family":"Zabihzadeh","sequence":"additional","affiliation":[{"name":"Computer Engineering Department, Hakim Sabzevari University, Sabzevar 9617976487, Iran"}]}],"member":"1968","published-online":{"date-parts":[[2025,2,5]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","unstructured":"Ovaisi, Z., Heinecke, S., Li, J., Zhang, Y., Zheleva, E., and Xiong, C. (2022, January 21\u201325). Rgrecsys: A toolkit for robustness evaluation of recommender systems. Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining, Virtual.","DOI":"10.1145\/3488560.3502192"},{"key":"ref_2","doi-asserted-by":"crossref","unstructured":"Calandrino, J.A., Kilzer, A., Narayanan, A., Felten, E.W., and Shmatikov, V. (2011, January 22\u201325). \u201cYou might also like:\u201d Privacy risks of collaborative filtering. Proceedings of the 2011 IEEE Symposium on Security and Privacy, Oakland, CA, USA.","DOI":"10.1109\/SP.2011.40"},{"key":"ref_3","doi-asserted-by":"crossref","unstructured":"Fang, M., Yang, G., Gong, N.Z., and Liu, J. (2018, January 3\u20137). Poisoning attacks to graph-based recommender systems. Proceedings of the 34th Annual Computer Security Applications Conference, San Juan, PR, USA.","DOI":"10.1145\/3274694.3274706"},{"key":"ref_4","doi-asserted-by":"crossref","first-page":"767","DOI":"10.1007\/s10462-012-9364-9","article-title":"Shilling attacks against recommender systems: A comprehensive survey","volume":"42","author":"Gunes","year":"2014","journal-title":"Artif. Intell. Rev."},{"key":"ref_5","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3652891","article-title":"A survey on trustworthy recommender systems","volume":"3","author":"Ge","year":"2022","journal-title":"ACM Trans. Recomm. Syst."},{"key":"ref_6","unstructured":"Jia, J., Liu, Y., Hu, Y., and Gong, N.Z. (2023). PORE: Provably Robust Recommender Systems against Data Poisoning Attacks. arXiv."},{"key":"ref_7","doi-asserted-by":"crossref","first-page":"110207","DOI":"10.1088\/1674-1056\/ad7e9a","article-title":"Finite-time decentralized event-triggered state estimation for coupled neural networks under unreliable Markovian network against mixed cyberattacks","volume":"33","author":"Wang","year":"2024","journal-title":"Chin. Phys. B"},{"key":"ref_8","doi-asserted-by":"crossref","first-page":"1362","DOI":"10.1109\/TPAMI.2022.3217792","article-title":"Self-adaptive training: Bridging supervised and self-supervised learning","volume":"46","author":"Huang","year":"2022","journal-title":"IEEE Trans. Pattern Anal. Mach. Intell."},{"key":"ref_9","doi-asserted-by":"crossref","unstructured":"He, R., and McAuley, J. (2016, January 12\u201317). VBPR: Visual bayesian personalized ranking from implicit feedback. Proceedings of the AAAI Conference on Artificial Intelligence, Phoenix, AZ, USA.","DOI":"10.1609\/aaai.v30i1.9973"},{"key":"ref_10","doi-asserted-by":"crossref","unstructured":"Yuan, Z., Yuan, F., Song, Y., Li, Y., Fu, J., Yang, F., Pan, Y., and Ni, Y. (2023, January 23\u201327). Where to go next for recommender systems? id-vs. modality-based recommender models revisited. Proceedings of the 46th International ACM SIGIR Conference on Research and Development in Information Retrieval, Taipei, Taiwan.","DOI":"10.1145\/3539618.3591932"},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Anelli, V.W., Deldjoo, Y., Di Noia, T., Malitesta, D., and Merra, F.A. (2021, January 11\u201315). A study of defensive methods to protect visual recommendation against adversarial manipulation of images. Proceedings of the 44th International ACM SIGIR Conference on Research and Development in Information Retrieval, Montreal, QC, Canada.","DOI":"10.1145\/3404835.3462848"},{"key":"ref_12","doi-asserted-by":"crossref","unstructured":"Merra, F.A., Anelli, V.W., Di Noia, T., Malitesta, D., and Mancino, A.C.M. (2023, January 23\u201327). Denoise to Protect: A Method to Robustify Visual Recommenders from Adversaries. Proceedings of the 46th International ACM SIGIR Conference on Research and Development in Information Retrieval, Taipei, Taiwan.","DOI":"10.1145\/3539618.3591971"},{"key":"ref_13","doi-asserted-by":"crossref","first-page":"855","DOI":"10.1109\/TKDE.2019.2893638","article-title":"Adversarial training towards robust multimedia recommender system","volume":"32","author":"Tang","year":"2019","journal-title":"IEEE Trans. Knowl. Data Eng."},{"key":"ref_14","doi-asserted-by":"crossref","unstructured":"Song, J., Li, Z., Hu, Z., Wu, Y., Li, Z., Li, J., and Gao, J. (2020, January 20\u201324). Poisonrec: An adaptive data poisoning framework for attacking black-box recommender systems. Proceedings of the 2020 IEEE 36th International Conference on Data Engineering (ICDE), Dallas, TX, USA.","DOI":"10.1109\/ICDE48307.2020.00021"},{"key":"ref_15","doi-asserted-by":"crossref","unstructured":"Huang, H., Mu, J., Gong, N.Z., Li, Q., Liu, B., and Xu, M. (2021). Data poisoning attacks to deep learning based recommender systems. arXiv.","DOI":"10.14722\/ndss.2021.24525"},{"key":"ref_16","doi-asserted-by":"crossref","unstructured":"Zhang, H., Tian, C., Li, Y., Su, L., Yang, N., Zhao, W.X., and Gao, J. (2021, January 14\u201318). Data poisoning attack against recommender system using incomplete and perturbed data. Proceedings of the 27th ACM SIGKDD Conference on Knowledge Discovery & Data Mining, Virtual.","DOI":"10.1145\/3447548.3467233"},{"key":"ref_17","unstructured":"Wang, Z., Gao, M., Yu, J., Ma, H., Yin, H., and Sadiq, S. (2024). Poisoning attacks against recommender systems: A survey. arXiv."},{"key":"ref_18","doi-asserted-by":"crossref","unstructured":"Wu, C., Lian, D., Ge, Y., Zhu, Z., Chen, E., and Yuan, S. (2021, January 11\u201315). Fight fire with fire: Towards robust recommender systems via adversarial poisoning training. Proceedings of the 44th International ACM SIGIR Conference on Research and Development in Information Retrieval, Montreal, QC, Canada.","DOI":"10.1145\/3404835.3462914"},{"key":"ref_19","doi-asserted-by":"crossref","unstructured":"Jia, J., Cao, X., and Gong, N.Z. (2021, January 2\u20139). Intrinsic certified robustness of bagging against data poisoning attacks. Proceedings of the AAAI Conference on Artificial Intelligence, Virtual.","DOI":"10.1609\/aaai.v35i9.16971"},{"key":"ref_20","doi-asserted-by":"crossref","unstructured":"Lam, S.K., and Riedl, J. (2004, January 17\u201320). Shilling recommender systems for fun and profit. Proceedings of the 13th International Conference on World Wide Web, New York, NY, USA.","DOI":"10.1145\/988672.988726"},{"key":"ref_21","doi-asserted-by":"crossref","first-page":"215","DOI":"10.1023\/B:AIRE.0000036256.39422.25","article-title":"An evaluation of neighbourhood formation on the performance of collaborative filtering","volume":"21","author":"Hurley","year":"2004","journal-title":"Artif. Intell. Rev."},{"key":"ref_22","doi-asserted-by":"crossref","first-page":"23","DOI":"10.1145\/1278366.1278372","article-title":"Toward trustworthy recommender systems: An analysis of attack models and algorithm robustness","volume":"7","author":"Mobasher","year":"2007","journal-title":"ACM Trans. Internet Technol. (TOIT)"},{"key":"ref_23","doi-asserted-by":"crossref","first-page":"74","DOI":"10.1016\/j.knosys.2016.02.008","article-title":"Re-scale AdaBoost for attack detection in collaborative filtering recommender systems","volume":"100","author":"Yang","year":"2016","journal-title":"Knowl.-Based Syst."},{"key":"ref_24","doi-asserted-by":"crossref","unstructured":"Fang, M., Gong, N.Z., and Liu, J. (2020, January 20\u201324). Influence function based data poisoning attacks to top-n recommender systems. Proceedings of the Web Conference 2020, Taipei, Taiwan.","DOI":"10.1145\/3366423.3380072"},{"key":"ref_25","doi-asserted-by":"crossref","unstructured":"Hu, R., Guo, Y., Pan, M., and Gong, Y. (2019, January 9\u201313). Targeted poisoning attacks on social recommender systems. Proceedings of the 2019 IEEE Global Communications Conference (GLOBECOM), Waikoloa, HI, USA.","DOI":"10.1109\/GLOBECOM38437.2019.9013539"},{"key":"ref_26","unstructured":"Bhaumik, R., Mobasher, B., and Burke, R. (2025, January 07). A Clustering Approach to Unsupervised Attack Detection in Collaborative Recommender Systems. In Proceedings of the International Conference on Data Science (ICDATA), 2011; Citeseer; p. 1. Available online: https:\/\/librarysearch.adelaide.edu.au\/discovery\/fulldisplay\/alma9928264932801811\/61ADELAIDE_INST:UOFA."},{"key":"ref_27","unstructured":"Zhang, Y., Tan, Y., Zhang, M., Liu, Y., Chua, T.-S., and Ma, S. (2015, January 25\u201331). Catch the black sheep: Unified framework for shilling attack detection based on fraudulent action propagation. Proceedings of the Twenty-Fourth International Joint Conference on Artificial Intelligence, Buenos Aires, Argentina."},{"key":"ref_28","doi-asserted-by":"crossref","first-page":"177","DOI":"10.1016\/j.knosys.2016.11.021","article-title":"Robust collaborative filtering based on non-negative matrix factorization and L1-norm","volume":"118","author":"Zhang","year":"2017","journal-title":"Knowl.-Based Syst."},{"key":"ref_29","doi-asserted-by":"crossref","first-page":"2101","DOI":"10.3233\/JIFS-161705","article-title":"A novel robust recommendation method based on kernel matrix factorization","volume":"32","author":"Yu","year":"2017","journal-title":"J. Intell. Fuzzy Syst."},{"key":"ref_30","doi-asserted-by":"crossref","unstructured":"Ebrahimian, M., and Kashef, R. (2020). Detecting shilling attacks using hybrid deep learning models. Symmetry, 12.","DOI":"10.3390\/sym12111805"},{"key":"ref_31","doi-asserted-by":"crossref","first-page":"291","DOI":"10.1007\/s10462-018-9655-x","article-title":"Shilling attacks against collaborative recommender systems: A review","volume":"53","author":"Si","year":"2020","journal-title":"Artif. Intell. Rev."},{"key":"ref_32","doi-asserted-by":"crossref","unstructured":"Backstrom, L., and Leskovec, J. (2011, January 9\u201312). Supervised random walks: Predicting and recommending links in social networks. Proceedings of the Fourth ACM International Conference on Web Search and Data Mining, Hong Kong, China.","DOI":"10.1145\/1935826.1935914"},{"key":"ref_33","doi-asserted-by":"crossref","first-page":"31701","DOI":"10.1007\/s11042-023-16641-x","article-title":"T&TRS: Robust collaborative filtering recommender systems against attacks","volume":"83","author":"Rezaimehr","year":"2024","journal-title":"Multimed. Tools Appl."},{"key":"ref_34","doi-asserted-by":"crossref","unstructured":"Zhang, K., Cao, Q., Wu, Y., Sun, F., Shen, H., and Cheng, X. (2024). Lorec: Large language model for robust sequential recommendation against poisoning attacks. arXiv.","DOI":"10.1145\/3626772.3657684"},{"key":"ref_35","doi-asserted-by":"crossref","unstructured":"Wang, W., Xu, Y., Feng, F., Lin, X., He, X., and Chua, T.-S. (2023, January 23\u201327). Diffusion recommender model. Proceedings of the 46th International ACM SIGIR Conference on Research and Development in Information Retrieval, Taipei, Taiwan.","DOI":"10.1145\/3539618.3591663"},{"key":"ref_36","unstructured":"Zhao, J., Wang, W., Xu, Y., Sun, T., and Feng, F. (2024). Plug-In Diffusion Model for Embedding Denoising in Recommendation System. CoRR."},{"key":"ref_37","doi-asserted-by":"crossref","unstructured":"Gao, J., Lanchantin, J., Soffa, M.L., and Qi, Y. (2018, January 24). Black-box generation of adversarial text sequences to evade deep learning classifiers. Proceedings of the 2018 IEEE Security and Privacy Workshops (SPW), San Francisco, CA, USA.","DOI":"10.1109\/SPW.2018.00016"},{"key":"ref_38","doi-asserted-by":"crossref","unstructured":"Di Noia, T., Malitesta, D., and Merra, F.A. (July, January 29). Taamr: Targeted adversarial attack against multimedia recommender systems. Proceedings of the 2020 50th Annual IEEE\/IFIP International Conference on Dependable Systems and Networks Workshops (DSN-W), Valencia, Spain.","DOI":"10.1109\/DSN-W50199.2020.00011"},{"key":"ref_39","doi-asserted-by":"crossref","unstructured":"Carlini, N., and Wagner, D. (2018, January 24). Audio adversarial examples: Targeted attacks on speech-to-text. Proceedings of the 2018 IEEE Security and Privacy Workshops (SPW), San Francisco, CA, USA.","DOI":"10.1109\/SPW.2018.00009"},{"key":"ref_40","doi-asserted-by":"crossref","first-page":"7149","DOI":"10.1109\/TMM.2022.3217449","article-title":"Disentangled multimodal representation learning for recommendation","volume":"25","author":"Liu","year":"2022","journal-title":"IEEE Trans. Multimed."},{"key":"ref_41","unstructured":"Goodfellow, I.J., Shlens, J., and Szegedy, C. (2014). Explaining and harnessing adversarial examples. arXiv."},{"key":"ref_42","first-page":"8780","article-title":"Diffusion models beat gans on image synthesis","volume":"34","author":"Dhariwal","year":"2021","journal-title":"Adv. Neural Inf. Process. Syst."},{"key":"ref_43","unstructured":"Wu, Q., Ye, H., and Gu, Y. (2022). Guided diffusion model for adversarial purification from random noise. arXiv."},{"key":"ref_44","unstructured":"Rendle, S., Freudenthaler, C., Gantner, Z., and Schmidt-Thieme, L. (2012). BPR: Bayesian personalized ranking from implicit feedback. arXiv."},{"key":"ref_45","doi-asserted-by":"crossref","unstructured":"Wu, F., Qiao, Y., Chen, J.-H., Wu, C., Qi, T., Lian, J., Liu, D., Xie, X., Gao, J., and Wu, W. (2020, January 5\u201310). Mind: A large-scale dataset for news recommendation. Proceedings of the 58th Annual Meeting of the Association for Computational Linguistics, Online.","DOI":"10.18653\/v1\/2020.acl-main.331"},{"key":"ref_46","unstructured":"Ronneberger, O., Fischer, P., and Brox, T. (2015). U-net: Convolutional networks for biomedical image segmentation. Medical Image Computing and Computer-Assisted Intervention\u2013MICCAI 2015: 18th International Conference, Munich, Germany, 5\u20139 October 2015, Proceedings, Part III 18, Springer."},{"key":"ref_47","doi-asserted-by":"crossref","unstructured":"He, X., Liao, L., Zhang, H., Nie, L., Hu, X., and Chua, T.-S. (2017, January 3\u20137). Neural collaborative filtering. Proceedings of the 26th International Conference on World Wide Web, Perth, Australia.","DOI":"10.1145\/3038912.3052569"},{"key":"ref_48","doi-asserted-by":"crossref","first-page":"9038","DOI":"10.1109\/TPAMI.2024.3416372","article-title":"GALA: Graph Diffusion-based Alignment with Jigsaw for Source-free Domain Adaptation","volume":"46","author":"Luo","year":"2024","journal-title":"IEEE Trans. Pattern Anal. Mach. Intell."},{"key":"ref_49","first-page":"1","article-title":"A diffusion model for poi recommendation","volume":"42","author":"Qin","year":"2023","journal-title":"ACM Trans. Inf. Syst."},{"key":"ref_50","doi-asserted-by":"crossref","unstructured":"Ju, W., Qin, Y., Qiao, Z., Luo, X., Wang, Y., Fu, Y., and Zhang, M. (December, January 28). Kernel-based substructure exploration for next POI recommendation. Proceedings of the 2022 IEEE International Conference on Data Mining (ICDM), Orlando, FL, USA.","DOI":"10.1109\/ICDM54844.2022.00032"}],"container-title":["Symmetry"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2073-8994\/17\/2\/233\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,9]],"date-time":"2025-10-09T16:27:35Z","timestamp":1760027255000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2073-8994\/17\/2\/233"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,2,5]]},"references-count":50,"journal-issue":{"issue":"2","published-online":{"date-parts":[[2025,2]]}},"alternative-id":["sym17020233"],"URL":"https:\/\/doi.org\/10.3390\/sym17020233","relation":{},"ISSN":["2073-8994"],"issn-type":[{"value":"2073-8994","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,2,5]]}}}